
x1881 Ransomware – How to Remove and Restore .x1881 Files

This article explains how to remove the x1881 ransomware from your computer and how to restore files that it has encrypted and given the .x1881 extension.

A ransomware virus known as the x1881 ransomware has been reported to infect victims’ computers and encrypt the files on them using the AES encryption algorithm. The malware performs encryption that leaves the files unable to be opened and appends an extension that is either random or .kgpvwnr. The malware also drops its ransom note file, named _HELP_INSTRUCTION.TXT, which aims to convince victims to pay a hefty ransom fee to get the cyber-criminals to decrypt the files. If you are one of the victims of the x1881 ransomware, we recommend that you read this article fully in order to learn how to remove this ransomware and restore the files it has encrypted.

Threat Summary

Name: x1881 Virus
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files and then drops a ransom note, asking victims to pay money in order to get the files decrypted again.
Symptoms: Encrypts the files on your computer via the AES cipher and appends the .x1881 file extension to them afterwards. Drops a ransom note named _HELP_INSTRUCTION.TXT.
Distribution Method: Spam Emails, Email Attachments, Executable files

x1881 Files Virus Distribution Methods

The x1881 ransomware has been reported to be a variant of CryptoMix, which, if modified appropriately, can be turned into a very dangerous ransomware. The creators of the virus are known by their handles “Shark”, “Error” and “Empty”. They may have embedded the virus in different forms in order to spread it:

  • Malicious e-mail attachment.
  • Malicious software setup.
  • Fake key generator or game crack.

The most common distribution method, reported to be used by more than 80% of ransomware viruses like x1881, is spam e-mail. Those e-mails either carry the malicious file as an attachment or link to a third-party site from which it can be downloaded.

x1881 Ransomware – Malicious Activity

Once this ransomware has been started on your computer, it drops its payload files on the infected machine. The malicious file associated with this ransomware is named Ripple, similar to the company Ripple behind the XRP cryptocurrency. The malicious files of this virus may be located in the following Windows locations:

  • %Program Data%
  • %AppData%
  • %Temp%
  • %Roaming%
  • %Local%

In addition to this, the virus also drops a ransom note file, named _HELP_INSTRUCTION.TXT and it has the following message to victims:

Hello!
Attention! All Your data was encrypted!
For specific informartion, please send us an email with Your ID number:
x1881@tuta.io
x1883@yandex.com
x1881@protonmail.com
x1884@yandex.com
Please send email to all email addresses! We will help You as soon as possible!
DECRYPT-ID-[id] number

After the ransom note has been dropped, the x1881 files virus may modify the following Windows registry sub-keys so that its malicious executables run automatically on system start:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

After this has been done, the x1881 ransomware may also perform other activities on the victim’s PC, such as stopping security-related services, deleting the Shadow Volume Copies and disabling automatic startup repair, via the following commands:

sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
vssadmin.exe Delete Shadows /All /Quiet
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
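The command sequence above is a useful detection opportunity for defenders. The following is an added example (not from the original article) that scores constructed Windows process-creation log lines against those commands; the log line format `<timestamp> pid=<n> cmdline=<command>` is an assumption for the demonstration.

```python
import re
from collections import defaultdict

# Services the article reports the ransomware stops (lowercased for matching).
# The article quotes the first as "VVS"; the Windows service name is VSS.
SECURITY_SERVICES = {"vss", "wscsvc", "windefend", "wuauserv", "bits", "ersvc", "wersvc"}

RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*?/all", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]
SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.I)
# Constructed log line format (assumption): "<timestamp> pid=<n> cmdline=<command line>"
LINE_RX = re.compile(r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+cmdline=(?P<cmd>.*)$")

# Constructed sample: one process runs the quoted preparation sequence,
# two others issue benign-looking commands that must not be flagged.
SAMPLE_LOG = """\
2017-10-06T12:01:01Z pid=4120 cmdline=sc stop wscsvc
2017-10-06T12:01:02Z pid=4120 cmdline=sc stop WinDefend
2017-10-06T12:01:03Z pid=4120 cmdline=vssadmin.exe Delete Shadows /All /Quiet
2017-10-06T12:01:04Z pid=4120 cmdline=bcdedit /set {default} recoveryenabled No
2017-10-06T12:05:00Z pid=2288 cmdline=sc stop Spooler
2017-10-06T12:06:00Z pid=3100 cmdline=vssadmin list shadows
"""

def classify(cmdline):
    """Return the set of indicator labels matched by a single command line."""
    hits = {label for label, rx in RULES if rx.search(cmdline)}
    m = SC_STOP.search(cmdline)
    if m and m.group(1).lower() in SECURITY_SERVICES:
        hits.add("security_service_stop:" + m.group(1).lower())
    return hits

def triage(log_text):
    """Aggregate indicator labels per PID across the whole log."""
    per_pid = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RX.match(line)
        if m:
            per_pid[m.group("pid")].update(classify(m.group("cmd")))
    return dict(per_pid)

def suspicious_pids(log_text):
    """PIDs that deleted shadow copies and showed at least one more indicator."""
    return sorted(pid for pid, hits in triage(log_text).items()
                  if "shadow_copy_deletion" in hits and len(hits) > 1)
```

Requiring shadow-copy deletion plus a second indicator from the same process keeps a lone administrative `vssadmin` or `sc stop` from raising an alert; `suspicious_pids(SAMPLE_LOG)` returns only `["4120"]`.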

After doing so, the ransomware can begin encrypting the files on your computer.

x1881 Files Virus Encryption

The encryption process of this virus uses a combination of the AES and RSA encryption algorithms. The malware first encrypts the files on the infected computer with the AES algorithm, generating a symmetric decryption key, after which it encrypts the decryption key of each file with unique RSA keys that are known only to the cyber-criminals. The files targeted for encryption are reported to be the following:

.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG

After the encryption process has completed, the ransomware renames the encrypted files so that the important ones are no longer recognizable and adds the .x1881 file extension to them.
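For incident response, the renamed .x1881 files and the _HELP_INSTRUCTION.TXT note are the quickest way to scope an infection. The following added example (not from the original article) walks a directory tree, counts .x1881 files per folder and extracts the DECRYPT-ID from any ransom note it finds; the victim directory layout and the ID value are constructed for the demonstration.

```python
import os
import re
import tempfile

ENCRYPTED_EXTS = {".x1881"}             # extension the article reports
NOTE_NAME = "_HELP_INSTRUCTION.TXT"     # ransom note name from the article
ID_RX = re.compile(r"DECRYPT-ID-([A-Za-z0-9]+)")  # note ends in "DECRYPT-ID-[id] number"

def scan_tree(root):
    """Walk root; return (encrypted-file count per directory, ransom notes per directory).

    Directory keys are relative to root. A note maps to its DECRYPT-ID, or to
    None when the note does not carry one.
    """
    encrypted, notes = {}, {}
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        count = sum(1 for f in files if os.path.splitext(f)[1].lower() in ENCRYPTED_EXTS)
        if count:
            encrypted[rel] = count
        if NOTE_NAME in files:
            with open(os.path.join(dirpath, NOTE_NAME), encoding="utf-8", errors="replace") as fh:
                m = ID_RX.search(fh.read())
            notes[rel] = m.group(1) if m else None
    return encrypted, notes

def build_sample_tree():
    """Create a constructed victim tree for the demonstration and return its path."""
    root = tempfile.mkdtemp(prefix="x1881_demo_")
    docs, pics = os.path.join(root, "Documents"), os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    # The article reports that encrypted files are renamed and given .x1881;
    # the file names used here are made up.
    for name in ("0A1B2C3D.x1881", "4E5F6071.x1881", "notes.txt"):
        open(os.path.join(docs, name), "wb").close()
    open(os.path.join(pics, "8899AABB.x1881"), "wb").close()
    with open(os.path.join(docs, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("Hello!\nAttention! All Your data was encrypted!\n"
                 "DECRYPT-ID-9f3e2a1b number\n")   # constructed ID
    return root

if __name__ == "__main__":
    encrypted, notes = scan_tree(build_sample_tree())
    print(encrypted)   # {'Documents': 2, 'Pictures': 1}
    print(notes)       # {'Documents': '9f3e2a1b'}
```

Pointing `scan_tree` at a real user profile gives a per-folder count of affected files and the victim ID the criminals expect in the e-mail, both of which belong in the incident record before any cleanup begins.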

Remove x1881 Ransomware and Restore .x1881 Files

In order to remove this virus from your computer, we strongly recommend that you follow the instructions below. They are specifically designed to help you remove this infection either manually or automatically. For maximum effectiveness of the removal, security experts strongly recommend using an advanced anti-malware program which will scan for the malicious files of x1881 ransomware and remove them automatically.

If you want to restore files that have been encrypted by the x1881 virus, it is recommended to see our alternative suggestions in step “2. Restore files encrypted by x1881 Virus” below. They may not be 100% effective, but may help you restore as many files as possible without you having to pay for decryption.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
